Job offer
Internal Cybersecurity Penetration Tester
EFG International is seeking a Cybersecurity Internal Penetration Tester who will be responsible for conducting internal penetration tests on the bank’s infrastructure, applications, and controls. The successful candidate should have experience in penetration testing and offensive security and be able to communicate complex technical findings to both technical and non-technical audiences.
Job Description
The Cybersecurity Internal Penetration Tester will be responsible for conducting internal penetration tests on the bank’s infrastructure, applications, and controls. This role combines hands-on technical experience in conducting penetration tests and simulating real-world attacks on corporate environments with close collaboration with security, IT, development, and risk teams to proactively identify, exploit, and remediate vulnerabilities in critical banking systems.
Tasks
- Planning, scope, and execution of internal penetration tests on core banking platforms and business applications, with a focus on services that support critical and key functions.
- Development of test scenarios based on realistic banking threat models (fraud, data exfiltration, privilege escalation, lateral movement to critical systems, etc.).
- Conducting hands-on tests on internal networks, servers, endpoints, web applications, APIs, cloud environments, Active Directory, and other core infrastructure systems.
- Documentation of results in clear, risk-based reports that include evidence and actionable remediation instructions for both technical and non-technical audiences.
- Work closely with infrastructure, development, DevOps, and risk teams to support remediation plans and retesting, ensuring that critical findings are tracked and resolved as part of the LCT and governance processes.
- Development and maintenance of internal testing methods, playbooks, and tools to support repeatable and efficient assessments.
- Collaborate with SOCs or on-demand testing teams to implement and improve detection and response capabilities.
- Stay up to date on new threats, vulnerabilities, TTPs, etc., and incorporate them into internal testing.
Requirements
- A background in cybersecurity, computer science, or related fields.
- 3–5 years of hands-on penetration testing or red team experience, with a proven track record of working on internal networks, web applications, and APIs; a background in both offensive and defensive security is a strong plus.
- Strong understanding of network protocols, operating systems (Windows, Linux), web and cloud technologies; familiarity with core banking architectures is a plus.
- Proficiency in common offensive tools and techniques (e.g., Burp Suite, Metasploit, Cobalt Strike-like frameworks, Kali-based tools) and the ability to perform manual testing beyond the scope of these tools.
- Solid knowledge of secure coding practices and common application vulnerabilities (e.g., OWASP Top 10) for assessing web and API targets.
- Professional certifications such as OSCP, GCP, or similar offensive security certifications that are current.
- Strong communication skills and the ability to explain complex technical findings to both technical and non-technical audiences.
We offer
- A supportive environment where your contributions are valued and recognized.
- A dynamic work environment with opportunities for continuous improvement.